A user should not replace important control firmware, for example a Basic Input/Output System (BIOS) firmware in a computing platform, unless the replacement is via an approved process using approved firmware. Typically, approved firmware is provided by the computer platform manufacturer (often referred to as the OEM, or original equipment manufacturer) or other party trusted by the OEM. This is because the firmware in a BIOS typically controls the platform to augment platform hardware and other firmware, ensures that the platform operates within safe working parameters (such as safe supply voltages and chip temperatures), and/or affects the security of the platform (for example, because a BIOS may contain a root of trust in a so-called ‘trusted platform’). If an unapproved BIOS is installed, it may prevent the platform from working properly, operate the platform outside a safe zone and cause actual damage to the platform, degrade the lifetime of the platform, or degrade the security of the platform. Moreover, if an unapproved BIOS is replaced subsequently with an approved BIOS, all evidence of the unapproved BIOS may be removed from the platform, potentially leaving the platform damaged or degraded without evidence as to why, and/or leaving no evidence that the correct operation or security of the platform may have been compromised.
While it would be an option to provide mechanisms which prevent BIOS replacement (for example by preventing re-flashing), this might deter parties having legitimate reasons for updating a BIOS from buying the respective platforms, or stimulate the production of “mod-chips”, for example, which can be piggy-backed onto BIOS chips in order to modify the operation of the BIOS in a known and potentially subversive way. Such physical alterations are very difficult (and sometimes impossible) to detect remotely, can subvert the security of a trusted platform, and could damage the market for trusted platforms by undermining overall confidence that trustworthy remote communications with trusted platforms are possible. Therefore, preventing BIOS replacement entirely may not be an appropriate solution.
Some trusted computing platforms contain a component, known as a Trusted Platform Module (TPM), which is at least logically protected from subversion. Such components have been developed by the companies forming the Trusted Computing Group (TCG). The TCG develops specifications in this area, for example the “TCG TPM Specification” Version 1.2, which is published on the TCG website https://www.trustedcomputinggroup.org/. The implicitly trusted components of a trusted computing platform enable measurements of the trusted computing platform and are then able to provide these in the form of integrity metrics to appropriate entities wishing to interact with the trusted computing platform. The receiving entities are then able to determine from the consistency of the measured integrity metrics with known or expected values that the trusted computing platform is operating as expected.
Trusted computing platforms of this kind should only operate with approved BIOS firmware, and mechanisms can be provided to prevent BIOS upgrades unless the firmware is cryptographically verified in an appropriate way. Outside of trusted computing, similar issues arise with motor vehicles, where the ability to ‘chip’ engine management firmware improves performance but risks damaging the vehicle by over-stressing it.
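The measurement-and-comparison mechanism outlined in the two preceding paragraphs (a root of trust measures the BIOS, extends a TPM-style register, and a remote verifier checks the result against known values for approved firmware) can be illustrated with the following simulation. This is an added example, not code from the patent or from the TCG specifications; the firmware images, the approved-digest list, and the function names are constructed for illustration, and a real platform would additionally sign the reported register values with a TPM key.

```python
import hashlib

# Constructed sample "firmware images" standing in for real BIOS binaries.
APPROVED_BIOS_V1 = b"OEM BIOS v1.0 (constructed sample image)"
APPROVED_BIOS_V2 = b"OEM BIOS v1.1 (constructed sample image)"
UNAPPROVED_BIOS = b"third-party modified BIOS (constructed sample image)"

# The OEM publishes digests of the firmware it approves; the verifier holds this list.
APPROVED_DIGESTS = {
    hashlib.sha256(img).hexdigest() for img in (APPROVED_BIOS_V1, APPROVED_BIOS_V2)
}
PCR_INITIAL = bytes(32)  # a platform configuration register starts at all zeros


def measure(image: bytes) -> bytes:
    """Integrity metric of a firmware image: its SHA-256 digest."""
    return hashlib.sha256(image).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || measurement), one-way and order-dependent."""
    return hashlib.sha256(pcr + measurement).digest()


def boot_and_report(bios_image: bytes) -> tuple[bytes, list[str]]:
    """Simulate the root of trust measuring the BIOS before it runs.

    Returns the resulting PCR value and the event log (hex digests, in order)
    that a challenger would receive as integrity metrics.
    """
    m = measure(bios_image)
    pcr = pcr_extend(PCR_INITIAL, m)
    return pcr, [m.hex()]


def verify_report(pcr: bytes, log: list[str]) -> tuple[bool, str]:
    """Remote verifier: replay the log against the PCR, then check each measured
    component against the approved list."""
    replay = PCR_INITIAL
    for entry in log:
        replay = pcr_extend(replay, bytes.fromhex(entry))
    if replay != pcr:
        # A log that cannot reproduce the PCR has been altered or truncated.
        return False, "event log does not match reported PCR"
    for entry in log:
        if entry not in APPROVED_DIGESTS:
            return False, "unapproved firmware measured: " + entry[:16] + "..."
    return True, "platform running approved BIOS"
```

Because the extend operation is one-way, a platform that booted unapproved firmware cannot present an approved-looking log without the PCR replay failing, which is the property the verifier relies on.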